Bugtraq mailing list archives
Re: Analysis of trin00
From: stefan () AESCHBACHER COM (Stefan Aeschbacher)
Date: Thu, 9 Dec 1999 00:21:51 -0800
Hi, here are some snort rules which could show the presence of a trin00 network in the observed IP range. These rules work only as long as the ports/passwords/protocol aren't changed. The rules are not tested; they rely on the paper of Dave Dittrich posted in Bugtraq (for more information see this great paper). If you have programs using high-numbered UDP ports, some of the rules will give false alarms.

Another way to identify trin00 would be to search for the packets that contain one of the daemon or master commands. Unfortunately most of them are strings which are common on a network (e.g. quit, help), but some of them could be used to detect trin00. If you see several of these alerts, there's probably an attack running; that's more or less the only time these rules can detect trin00.

# Trin00 commands are sent
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default startup pass detected!)"; content:"betaalmostdone";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default r.i. pass detected!)"; content:"gOrave";)
alert tcp any any -> 192.168.1.0/24 27665 (msg:"Trin00: Attacker to Master (default mdie pass detected!)"; content:"killme";)
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon";)
alert udp any any -> 192.168.1.0/24 27444 (msg:"Trin00: Master to Daemon (default pass detected!)"; content:"l44adsl";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (*HELLO* detected)"; content:"*HELLO*";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (PONG detected)"; content:"PONG";)
alert udp any any -> 192.168.1.0/24 31335 (msg:"Trin00: Daemon to Master (message detected)"; content:"l44";)

Stefan Aeschbacher

--
Stefan Aeschbacher
Federal Institute of Technology, Lausanne, Switzerland
http://www.aeschbacher.ch/stefan
Where do you want to go today? - NOT in your direction! -
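The detection logic of the rules above, as an added example that is not part of Stefan Aeschbacher's post and not code from trin00 or snort: a minimal snort-style matcher applies the same ten port/content rules to a constructed list of packets, then applies the post's own caveat that a single hit on a high UDP port is weak evidence while a host involved in several different trin00 alerts probably is part of a live network. The stricter "cmd password args" check for 27444/udp follows the command layout described in Dave Dittrich's analysis; all hosts, packets and the alert threshold are assumptions made up for the example.

```python
"""Added example, not from the post, from snort or from trin00: the post's
trin00 rules as data, a snort-like matcher, the post's 'several alerts'
heuristic, and a stricter master-command check based on Dittrich's
'arg1 password arg2' layout. Hosts and packets below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

MONITORED = ipaddress.ip_network("192.168.1.0/24")   # same range as in the post
DAEMON_PASSWORD = b"l44adsl"                          # default master->daemon password


@dataclass(frozen=True)
class Rule:
    proto: str                        # "tcp" or "udp"
    dport: int                        # destination port from the rule header
    msg: str
    content: Optional[bytes] = None   # None = port-only rule


# The post's ten rules, written as data instead of snort syntax.
RULES: List[Rule] = [
    Rule("tcp", 27665, "Trin00: Attacker to Master"),
    Rule("tcp", 27665, "Trin00: Attacker to Master (default startup pass detected!)",
         b"betaalmostdone"),
    Rule("tcp", 27665, "Trin00: Attacker to Master (default r.i. pass detected!)", b"gOrave"),
    Rule("tcp", 27665, "Trin00: Attacker to Master (default mdie pass detected!)", b"killme"),
    Rule("udp", 27444, "Trin00: Master to Daemon"),
    Rule("udp", 27444, "Trin00: Master to Daemon (default pass detected!)", b"l44adsl"),
    Rule("udp", 31335, "Trin00: Daemon to Master"),
    Rule("udp", 31335, "Trin00: Daemon to Master (*HELLO* detected)", b"*HELLO*"),
    Rule("udp", 31335, "Trin00: Daemon to Master (PONG detected)", b"PONG"),
    Rule("udp", 31335, "Trin00: Daemon to Master (message detected)", b"l44"),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes


def matches(pkt: Packet, rule: Rule) -> bool:
    """Snort semantics of the post's rules: protocol, destination network and
    destination port must match; 'content' is a plain substring search."""
    if pkt.proto != rule.proto or pkt.dport != rule.dport:
        return False
    if ipaddress.ip_address(pkt.dst) not in MONITORED:
        return False
    return rule.content is None or rule.content in pkt.payload


def scan(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, msg) for every rule hit, one entry per rule per packet."""
    return [(p.src, p.dst, r.msg) for p in packets for r in RULES if matches(p, r)]


def master_command(payload: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Stricter check for 27444/udp than a substring match: per Dittrich the
    master sends 'arg1 password arg2', so the password must be the second
    whitespace-separated token. Returns (command, arguments) or None."""
    fields = payload.split()
    if len(fields) < 2 or fields[1] != DAEMON_PASSWORD:
        return None
    return fields[0], b" ".join(fields[2:])


def likely_trinoo_hosts(alerts: List[Tuple[str, str, str]], threshold: int = 3) -> Set[str]:
    """The post's caveat: one port-only hit is weak evidence, since legitimate
    software uses high UDP ports too. A host that appears, as sender or
    receiver, in several *different* trin00 alerts is what points at a real
    master/daemon network. The threshold of 3 is an assumption."""
    seen: Dict[str, Set[str]] = {}
    for src, dst, msg in alerts:
        for host in (src, dst):
            seen.setdefault(host, set()).add(msg)
    return {h for h, msgs in seen.items() if len(msgs) >= threshold}


# Constructed traffic: an attacker logging in to a master, the master pinging a
# daemon, two daemons answering, one unrelated high-port UDP packet (the false
# positive the post warns about), and a trin00 login to a host outside the range.
SAMPLE = [
    Packet("tcp", "10.0.0.5", "192.168.1.20", 27665, b"betaalmostdone\r\n"),
    Packet("udp", "192.168.1.20", "192.168.1.30", 27444, b"png l44adsl"),
    Packet("udp", "192.168.1.30", "192.168.1.20", 31335, b"PONG"),
    Packet("udp", "192.168.1.31", "192.168.1.20", 31335, b"*HELLO*"),
    Packet("udp", "10.9.9.9", "192.168.1.50", 27444, b"game state update"),
    Packet("tcp", "10.0.0.5", "10.1.1.1", 27665, b"betaalmostdone\r\n"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for src, dst, msg in hits:
        print(f"{src} -> {dst}: {msg}")
    print("likely trin00 hosts:", sorted(likely_trinoo_hosts(hits)))
```

Running it shows the difference the post describes: the unrelated packet to 192.168.1.50:27444 raises only the port-only "Master to Daemon" alert and the host is not flagged, while 192.168.1.20 and 192.168.1.30 each appear in several distinct alerts (login, command with the default password, PONG, *HELLO*) and are reported as likely trin00 master and daemon.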
Current thread:
- new IE5 remote exploit Jeremy Kothe (Dec 05)
- Re: new IE5 remote exploit Dustin Miller (Dec 06)
- Re: new IE5 remote exploit krisp (Dec 06)
- Analysis of trin00 Dave Dittrich (Dec 07)
- Re: Analysis of trin00 Stefan Aeschbacher (Dec 09)
- Re: Analysis of trin00 Jacob Langseth (Dec 09)
- ISSalert: ISS Security Advisory: Buffer Overflow in Solaris Snoop Aleph One (Dec 09)
- Re: Analysis of trin00 Stefan Aeschbacher (Dec 09)
- xsw 1.24 remote buffer overflow Aleph One (Dec 09)
- Re: new IE5 remote exploit Dustin Miller (Dec 06)
- Analysis of Tribe Flood Network Dave Dittrich (Dec 07)
- Re: Analysis of Tribe Flood Network Mixter (Dec 08)
- Re: Analysis of Tribe Flood Network Stefan Laudat (Dec 10)
- Error in System Policies Adam Simms (Dec 10)
- Re: Analysis of Tribe Flood Network Mixter (Dec 11)
- Big problem on linux 2.0 visi0n (Dec 11)